Ivan's Logbook

We're off to nowhere

Hi! This is the last post on this site, which will soon become read-only. From now on I'll be publishing at Meshclat, my new website, also available via IPFS and via ZeroNet. See you there!

IPv6 local router with privacy-preserving addresses

In IPv6 everywhere with tinc we saw how to use a tinc VPN to let a host with its own public IPv6 network provide entire subnetworks to remote devices like home computers.

The setup allows each device to have its own public IPv6 addresses for accessing or providing services on the IPv6 Internet. However, with such a setup the device always uses the same address for outgoing traffic, which is bad for end-user devices from a privacy perspective, since they become very easy to identify uniquely worldwide.

Also, the network topology diagram in that post showed that each device may serve its /64 public IPv6 network locally, thus allowing other hosts in the local network to also have full public IPv6 connectivity. A very simple setup using IPv6 stateless address autoconfiguration (SLAAC) for such hosts, based on the IPv6 router advertisement daemon (radvd), is explained here. However, autoconfigured addresses have the very nasty effect of revealing the host's MAC address, which is even worse privacy-wise, since hosts become uniquely identifiable regardless of the network they are in (see this post for a deeper discussion).

This article explains how to easily configure a Debian IPv6 router and its hosts to use temporary IPv6 addresses (privacy extensions for SLAAC) that avoid the problems mentioned above.

Remote automatic desktop session with Debian and VNC/X2Go

This post briefly describes a setup used for performing UI-based testing of Bitsquare. It consists of a headless Debian server (a physical one, though it could just as well be a virtual machine or even a container) which, on boot, automatically starts an X session and makes it available via VNC and X2Go (since there is no monitor on which to access the session).

This setup allows UI tests to be started automatically on boot, with the option of connecting to the graphical session later if needed.

Colaua: GNU social conversations in static HTML pages

The progressive adoption of static site generators (or SSGs, like Jekyll or Nikola) for blogs has resulted in many sites dropping comments (i.e. dynamic content), which is detrimental to the use of blogs as a medium for thoughtful and diverse conversation. To avoid this loss of functionality, other static sites have instead opted for centralized, closed and mutually incompatible platforms (like Disqus or IntenseDebate) to host their comments. However, this adds to the recentralization trend that has been plaguing the Internet in recent years.

There are Free Software alternatives (like Isso) that allow people to run their own comment servers. However, they still keep the comments of each site as a closed silo. In contrast, some months ago Enkidu (Las Indias) started the development of the WP-GNU social WordPress plugin, which uses conversations in GNU social (a federated microblogging system) as a replacement for classic site-only comments.

In a similar spirit, Colaua augments static HTML pages with conversations hosted in GNU social. The conversation itself is fetched from the GNU social API by JavaScript code running in the browser and then dynamically included in the post's comment section. This obviates the need for dynamic server-side code (like PHP), keeping the pages suitable for storage in distributed systems like IPFS or ZeroNet.

The Internet as a common (and neutral) good

A very interesting conference, Internet as a Commons: Public Space in the Digital Age, given by various people involved in the commons economy (among them Leandro Navarro of the UPC, for guifi.net) at the European Parliament (introduction and two parts). A pity that the MEPs ended up voting against net neutrality in the European Union shortly afterwards. More barriers to entry for the small players on the Net.

Biological clock

For some time I had been struck by the fact that, when I was at home busy finishing some task before rushing out to an appointment or commitment, I would glance at the clock and seem to guess the time with a curiously small margin of error. To my surprise, when I made a routine of trying to guess the time before looking at the clock, I found that each time I got closer and closer to the real time, and that the occasions on which I simply got it exactly right became more frequent. It wasn't long before I began to suspect that it wasn't me who was guessing the time better each time, but rather the clocks around me that seemed to be starting to obey my predictions…

New GNU social site at ElVil.net

A few days ago I set up a new GNU social instance so as to be able to share comments and links more immediately. It is linked from the main menu above (as Social) and you can visit it here. I hope it turns out to be useful and fun! The next experiment will probably be with Hubzilla.

Marble Madness vs. Marble Zone

Hmm, is it just me, or doesn't the music of the second level of Sonic the Hedgehog for the Mega Drive, called Marble Zone (sample), sound astonishingly similar to the music of the second level of Marble Madness (sample)? Apart from the names Marble Zone and Marble Madness, the creator of the latter, Mark Cerny, worked for Sega on Sonic 2. Curious…

A Konami revelation

Today I happened to notice a Suzuki motorbike called Gladius and I suddenly felt enlightened: what if gladius, Latin for sword, were the correct reading of グラディウス, that is, Gradius, Konami's famous shoot 'em up series? Someone must have confused the r with the l when transcribing it! The Suzuki people didn't repeat the mistake, or they would have had a full tribute on their hands (calling the bike Vic Viper would have been too blatant). Update 21:16: Blizzard points out that the similarity between gradius and gladius is probably pure coincidence… A textbook application of Cunningham's Law! ;)

Ciutat Morta

Today I was lucky enough to attend the cinema premiere of Ciutat Morta, the shocking documentary about the events of the so-called 4F and the web of police, judicial, political and media lies and cover-ups that ended with the suicide of Patricia Heras after she was accused, tried, convicted and imprisoned for the attempted murder of a Barcelona police officer, something she had absolutely nothing to do with. A hard documentary, very hard, and absolutely essential for understanding this city.

The hexadecimal fish

Today I was listening to the cienciaes.com podcast about Acanthostega, a Devonian fish. It is the first animal known to have had digits, and it had 8 per limb, which makes me think what a missed opportunity for evolution it was that we don't all naturally count in hexadecimal now.

Last CONFINE news of 2013

It's been more than half a year since my last post on CONFINE, which may give you an idea of the feverish months we've had at the project. We are still in that rush, but the Christmas days bring a little calm, so I won't miss the chance to write one last post for this year.

Refugios de Juego

Refugios de Juego is my brother Omar's new educational project, into which he has been putting a great deal of enthusiasm and effort over the last few months. An innovative proposal for free, non-competitive learning based on play and exploration. I wish you all the luck in the world with the refuges, Omar!

Wheezy Debian template, overhaul of VCT container

After upgrading the VCT container to Wheezy, it was the Debian sliver template's turn. Besides the upgrade, I decided to make templates more useful by including enough configuration (to be discarded during sliver deployment on a node) for them to be directly usable as containers for testing on one's PC. Since the template comes as a read-only Squashfs, I included instructions on how to unpack the template into the local file system, but I also had a good time using LXC mount hooks to place a writable directory on top of the read-only template using AuFS or overlayfs. I also tried a more sophisticated approach in which the writable directory is loop-mounted from a fixed-size image file, a simple and neat way to limit the disk space used by a container. Serge Hallyn liked the idea a lot, but unfortunately on container stop the image doesn't get properly unmounted and the loop devices remain undetachable.

Also, while testing on Ubuntu hosts I found that the read-only proc causes the error "lxc-start: Read-only file system - failed to change apparmor profile to lxc-container-default", so I made it writable, since it is now supposed to be properly isolated from the host's proc. I also found that keeping the sys_boot capability makes it possible to halt and reboot the container properly (regardless of Debian bug 706676). :)

I also added these latter fixes to the VCT container, but the really important change is how CONFINE software is now installed in it. Previously, the container only included a clone of the confine-dist repository (which includes VCT), a bare installation of the then-latest confine-controller, and their dependencies. The software wasn't configured at all. This saved some download time for some software, but VCT installation and configuration always had to be run, which resulted in software being downloaded and replaced and more data files (node images and sliver templates) being downloaded. It also meant that container preparation had to somehow replicate the VCT and controller installation.

To avoid these problems and provide a container where VCT can be run out of the box with no installation or downloads whatsoever, I changed the way the container is prepared to simply include an invocation of vct_system_install. This simplified its preparation, installation and usage enormously, at the price, of course, of a bigger container image that includes all downloaded files. However, users will be glad to know that they only need to run vct_system_init to have a working VCT environment. :)

Typical morning session

While writing a mail to help some colleague in CONFINE connect his research device to Community-Lab's management network, I find one bug in our software. While reporting the bug, I find two more bugs. While reporting one of the latter bugs, I find a bug in Redmine. This starts to look like a software development version of Inception.

Wheezy VCT container, Internet access for slivers

With the recent launch of the new Debian 7.0 "Wheezy", some users who were testing the CONFINE controller found some incompatibilities between Wheezy and the previous Debian "Squeeze" regarding task management. I decided to upgrade the VCT container to Wheezy to ease the testing of these issues, and Marc managed to fix or work around them. As a result, he published new versions of the controller and I packed a new VCT container based on Wheezy with one of these versions. We also found some issues with the handling of new hosts in tinc that Guus helped clarify. With all this testing, the node software and controller software are quickly becoming really usable and stable!

Also, Pau asked me to find a way to provide Internet access (at least NAT) to Community-Lab slivers running on community networks which use private IPv4 addressing. Since tampering with community routes is not an option, we decided to follow the VPN path. I'm working on leveraging the presence of the tinc mesh already used for the management network to also provide VPN access to testbed gateways connected to the Internet. Not an easy redesign so late in the project, but I have some proposals that make everything (management network, VPN, tinc) fit quite well.

Testing the testbed

Lately I've continued with the testing that I began for the latest Battle Mesh, to check that the Community-Lab testbed and CONFINE software in general are actually usable by the participants of the first Open Call. I've sent even more bug reports, but this time Axel (who fortunately restrained himself from chasing and hitting me) has had time to fix some of them, so we've been in a tight test-report-fix-test loop.

The good news is that I find the testbed in its current state to be quite usable, at least for a trusted set of researchers with close assistance from testbed developers and administrators. I even found VCT to be working (as a container!) for running test experiments, albeit with some bugs that keep it from working out of the box. Another important factor in usability is having good documentation, but I'm afraid we're still green on that, although Davide is working on updating the BitTorrent tutorial, and documentation and support are among this year's objectives.

Middleboxes

[T]he "dumb" Internet with end-to-end transparent routing of data is a thing of the distant past. What we have now is inflexible and somewhat hostile to the deployment of new technologies.

(Jonathan Corbet)

Back from the Battle Mesh

Friday was my last day at this year's Wireless Battle of the Mesh. After Pau's insistence, I finally decided to attend this event for the first time, and I must say that I liked it a lot. For those of you who don't know it, it's a mesh and community network-oriented event in the vein of FOSDEM, but on a much more familiar scale: we all fit in a single room at the NOVI building at Aalborg University, and most people already knew each other.

Tables full of wires in a wireless event.

Testbed architecture pages, upcoming Battle Mesh

I finished restructuring the testbed architecture start page so that each main topic has its own page, fitting into a narrative that can be read from start to end. This should help newcomers understand how CONFINE testbeds work while gently introducing the most relevant concepts. The page that got the most attention was the one about the management network, which was extended to include a good introduction to its fundamental role and nature, the need for the IPv6 overlay and its tinc-based implementation. The high-level introduction of the old IPv6 overlay page was merged into that page, while the low-level details were moved to the software pages.

I was also working on my demo for next week's Battle Mesh using a VCT container, but some issues make me suspect that it will be less troublesome to test real nodes from Community-Lab, where at least the server part is already set up and working. I also intend to take the chance of visiting the Battle Mesh to discuss some wild ideas that Dani, Leandro and I were informally discussing today about using Linux's kexec in the initial node system… well, more on that in another post. :)

New confine-utils repository

Since I didn't know where to publish my script for generating configuration files for all the tinc hosts in a testbed's management network, and Marc pointed out that people used to ask for repositories for very small projects, we decided to create the confine-utils project and repository for hosting assorted utilities related to CONFINE testbeds. We reused the repo of Pau's firmware generator conFW (now in the confw subdir) and I also uploaded my script there (under fetch-tinc-hosts). I wanted the script to have no external dependencies, but it turned out that urllib2 isn't well suited to REST API programming, so I used the excellent requests library. Now you can generate all the tinc host configuration files needed by e.g. a gateway by running python fetch_tinc_hosts.py REST_API_BASE_URI.

32-bit VCT container

Javi was unable to run the prebuilt VCT container template on his old Core Duo box, since the container is 64-bit and those CPUs (though they support hardware virtualization) are 32-bit only. He also had a hard time trying to build his own container from scratch following the instructions in the wiki, because of the old version of the lxc package included in his Ubuntu install.

Software-defined networking

Manos is working on his master's thesis on software-defined networking (SDN) and he's also participating in CONFINE. Together with Leandro, we had some discussions on the potential changes to CONFINE's testbed architecture to support SDN with OpenFlow, Open vSwitch and related technologies, so that slices could e.g. define virtual L2 links between nodes that have no such physical links.

Defining node update mechanisms

Over the last few days I've been working on defining the node storage layout at a finer grain, including the specific paths to be used in file systems and how to manage them during the boot process and operation of the node. This turned out to be challenging, because we're talking about a system that will probably perform two root pivots while booting.

I also specified the behaviour of the programs that manage both the node images stored in it and the persistent data sets to be shared across node images, so that the gory details of mounts, paths, symbolic links, etc. are isolated from the user. I have the impression that these could be separated into two independent packages for reuse outside of CONFINE. I wouldn't be surprised if some people at the Battle Mesh showed some interest in these developments. ;)

New VCT container image with controller support

Well, here's my first post in a series that will report the progress of my current work at the CONFINE project.

Axel and Marc recently managed to integrate the CONFINE controller software into VCT. However, the installation of the controller is more invasive than that of VCT itself (change of default locale, installation and activation of system services…), so using a VCT container instead of a host installation becomes even handier. Marc and I managed to fix some hidden issues in the controller that prevented it from being installed in a clean VCT container, and I extended the VCT container creation procedure to include the CONFINE controller and dependent software, so that few packages need to be downloaded later when using different versions of the controller. The new VCT container image is available in the CONFINE images repository.

Lovely Blog Award

Lola has dedicated a Lovely Blog Award to me. As you may guess from the activity on this blog, I don't have time to continue the chain, but I do have time to thank Lola for such a lovely gesture. Thanks, Lola!

How to dump an encrypted DVD with "dd"

I'm trying to get the ISO image of a DVD, but Brasero without GNOME behaves oddly and, frankly, I'm fed up with such complex programs for such a simple task. All around I see that you can use dd if=/dev/dvd of=fitxer.iso to dump the DVD (I'd swear this didn't work some time ago), but my disc is encrypted with CSS and there's always an input/output error after reading part of the disc.

To my surprise, I open the DVD in VLC (which uses the libdvdcss library to decrypt it) and, after playing it for some seconds and closing VLC… dumping with dd works flawlessly! I've tried several times with several DVDs and it seems to be systematic. Maybe there's some peculiar interaction with my DVD unit (I didn't check others), but… ain't it cool?

How to dump an encrypted DVD with "dd" (Catalan version)

I want to get the ISO image of a DVD, but Brasero without GNOME does strange things and, frankly, I'm a bit fed up with such complex programs for such a simple task. I see everywhere that you can use dd if=/dev/dvd of=fitxer.iso to dump the DVD (I'd swear this didn't work before), but the disc is encrypted with CSS and there is always an input/output error after reading part of the disc.

To my surprise, I open the DVD with VLC (which uses the libdvdcss library to be able to decrypt it) and, after playing it for a few seconds and closing VLC… dumping with dd works perfectly! I've tried it more than once and with several DVDs and it seems to be systematic. It may be some peculiar interaction with my DVD drive (I haven't tried it on any other), but… isn't it cool?

Boldrin and Levine on patents

Karsten Gerloff of the FSFE has published some notes summarising the latest article by the economists Boldrin and Levine on the pernicious effect of patents: The Case Against Patents. As one might imagine, they conclude that patents serve only to let the big players block new entrants to the market, halting innovation, and they propose abolishing them and replacing them with a system of prizes.